DnsPlugins/OVH.ps1
|
function Add-DnsTxtOVH { [CmdletBinding(DefaultParameterSetName='Secure')] param( [Parameter(Mandatory,Position=0)] [string]$RecordName, [Parameter(Mandatory,Position=1)] [string]$TxtValue, [Parameter(Mandatory)] [string]$OVHAppKey, [Parameter(ParameterSetName='Secure',Mandatory)] [securestring]$OVHAppSecret, [Parameter(ParameterSetName='Secure',Mandatory)] [securestring]$OVHConsumerKey, [Parameter(ParameterSetName='Insecure',Mandatory)] [string]$OVHAppSecretInsecure, [Parameter(ParameterSetName='Insecure',Mandatory)] [string]$OVHConsumerKeyInsecure, [ValidateSet('ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca')] [string]$OVHRegion = 'ovh-eu', [Parameter(ValueFromRemainingArguments)] $ExtraParams ) Connect-OVH @PSBoundParameters $domain = Find-OVHDomain $RecordName $recShort = $RecordName -ireplace [regex]::Escape(".$domain"), [string]::Empty $rec = Get-OVHTxtRecord $recShort $domain $TxtValue if ($rec) { Write-Debug "Record $RecordName already contains $TxtValue. Nothing to do." } else { # add the record Write-Verbose "Adding a TXT record for $RecordName with value $TxtValue" $query = "$($script:OVHCreds.ApiBase)/domain/zone/$domain/record" $body = @{fieldType='TXT'; subDomain=$recShort; target="`"$TxtValue`""} | ConvertTo-Json -Compress Invoke-OVHRest POST $query $body | Out-Null # add the zone to be saved if ($domain -notin $script:OVHZonesToSave) { $script:OVHZonesToSave += $domain } } <# .SYNOPSIS Add a DNS TXT record to OVH .DESCRIPTION Add a DNS TXT record to OVH .PARAMETER RecordName The fully qualified name of the TXT record. .PARAMETER TxtValue The value of the TXT record. .PARAMETER OVHAppKey The Application Key value associated with the OVH API application you created. .PARAMETER OVHAppSecret The SecureString version of the Application Secret value associated with the OVH API application you created. .PARAMETER OVHAppSecretInsecure The standard string version of the Application Secret value associated with the OVH API application you created. .PARAMETER OVHConsumerKey The SecureString version of the Consumer Key value generated for the API application you created. .PARAMETER OVHConsumerKeyInsecure The standard string version of the Consumer Key value generated for the API application you created. .PARAMETER OVHRegion The region code associated with your OVH account. Must be one of the following: 'ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca' .PARAMETER ExtraParams This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports. .EXAMPLE $appSecret = Read-Host -Prompt "App Secret" -AsSecureString PS C:\>$cKey = Read-Host -Prompt "Consumer Key" -AsSecureString PS C:\>$pArgs = @{OVHAppKey='xxxxxxxx'; OVHAppSecret=$appSecret; OVHConsumerKey=$cKey; OVHRegion='ovh-eu'} PS C:\>Add-DnsTxtOVH '_acme-challenge.site1.example.com' 'asdfqwer12345678' @pArgs Adds a TXT record using SecureString parameter values. .EXAMPLE $pArgs = @{OVHAppKey='xxxxxxxx'; OVHAppSecret='yyyyyyyy'; OVHConsumerKey='zzzzzzzz'; OVHRegion='ovh-eu'} PS C:\>Add-DnsTxtOVH '_acme-challenge.site1.example.com' 'asdfqwer12345678' @pArgs Adds a TXT record using standard string parameter values. #> } function Remove-DnsTxtOVH { [CmdletBinding()] param( [Parameter(Mandatory,Position=0)] [string]$RecordName, [Parameter(Mandatory,Position=1)] [string]$TxtValue, [Parameter(Mandatory)] [string]$OVHAppKey, [Parameter(ParameterSetName='Secure',Mandatory)] [securestring]$OVHAppSecret, [Parameter(ParameterSetName='Secure',Mandatory)] [securestring]$OVHConsumerKey, [Parameter(ParameterSetName='Insecure',Mandatory)] [string]$OVHAppSecretInsecure, [Parameter(ParameterSetName='Insecure',Mandatory)] [string]$OVHConsumerKeyInsecure, [ValidateSet('ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca')] [string]$OVHRegion = 'ovh-eu', [Parameter(ValueFromRemainingArguments)] $ExtraParams ) Connect-OVH @PSBoundParameters $domain = Find-OVHDomain $RecordName $recShort = $RecordName -ireplace [regex]::Escape(".$domain"), [string]::Empty $rec = Get-OVHTxtRecord $recShort $domain $TxtValue if ($rec) { # delete the record Write-Verbose "Removing TXT record for $RecordName with value $TxtValue" $query = "$($script:OVHCreds.ApiBase)/domain/zone/$domain/record/$($rec.id)" Invoke-OVHRest DELETE $query | Out-Null # add the zone to be saved if ($domain -notin $script:OVHZonesToSave) { $script:OVHZonesToSave += $domain } } else { Write-Debug "Record $RecordName with value $TxtValue doesn't exist. Nothing to do." } <# .SYNOPSIS Remove a DNS TXT record from OVH .DESCRIPTION Remove a DNS TXT record from OVH .PARAMETER RecordName The fully qualified name of the TXT record. .PARAMETER TxtValue The value of the TXT record. .PARAMETER OVHAppKey The Application Key value associated with the OVH API application you created. .PARAMETER OVHAppSecret The SecureString version of the Application Secret value associated with the OVH API application you created. .PARAMETER OVHAppSecretInsecure The standard string version of the Application Secret value associated with the OVH API application you created. .PARAMETER OVHConsumerKey The SecureString version of the Consumer Key value generated for the API application you created. .PARAMETER OVHConsumerKeyInsecure The standard string version of the Consumer Key value generated for the API application you created. .PARAMETER OVHRegion The region code associated with your OVH account. Must be one of the following: 'ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca' .PARAMETER ExtraParams This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports. .PARAMETER ExtraParams This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports. .EXAMPLE $appSecret = Read-Host -Prompt "App Secret" -AsSecureString PS C:\>$cKey = Read-Host -Prompt "Consumer Key" -AsSecureString PS C:\>$pArgs = @{OVHAppKey='xxxxxxxxxxx'; OVHAppSecret=$appSecret; OVHConsumerKey=$Key; OVHRegion='ovh-eu'} PS C:\>Remove-DnsTxtOVH '_acme-challenge.site1.example.com' 'asdfqwer12345678' @pArgs Removes a TXT record using SecureString parameter values. .EXAMPLE $pArgs = @{OVHAppKey='xxxxxxxx'; OVHAppSecret='yyyyyyyy'; OVHConsumerKey='zzzzzzzz'; OVHRegion='ovh-eu'} PS C:\>Remove-DnsTxtOVH '_acme-challenge.site1.example.com' 'asdfqwer12345678' @pArgs Removes a TXT record using standard string parameter values. #> } function Save-DnsTxtOVH { [CmdletBinding()] param( [Parameter(ValueFromRemainingArguments)] $ExtraParams ) if ($script:OVHCreds) { # Apply zone modifications foreach ($zone in $script:OVHZonesToSave) { Invoke-OVHRest POST "$($script:OVHCreds.ApiBase)/domain/zone/$zone/refresh" | Out-Null } } <# .SYNOPSIS Notifies OVH to apply zone modifications. .DESCRIPTION Notifies OVH to apply zone modifications. .PARAMETER ExtraParams This parameter can be ignored and is only used to prevent errors when splatting with more parameters than this function supports. #> } ############################ # Helper Functions ############################ # API Docs # https://api.ovh.com/ function Connect-OVH { [CmdletBinding(DefaultParameterSetName='Secure')] param( [Parameter(Mandatory)] [string]$OVHAppKey, [Parameter(ParameterSetName='Secure',Mandatory)] [securestring]$OVHAppSecret, [Parameter(ParameterSetName='Secure',Mandatory)] [securestring]$OVHConsumerKey, [Parameter(ParameterSetName='Insecure',Mandatory)] [string]$OVHAppSecretInsecure, [Parameter(ParameterSetName='Insecure',Mandatory)] [string]$OVHConsumerKeyInsecure, [ValidateSet('ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca')] [string]$OVHRegion = 'ovh-eu', [Parameter(ValueFromRemainingArguments)] $ExtraConnectParams ) # generate plain text versions of the secure params we can work with if ('Secure' -eq $PSCmdlet.ParameterSetName) { $OVHAppSecretInsecure = (New-Object PSCredential "user",$OVHAppSecret).GetNetworkCredential().Password $OVHConsumerKeyInsecure = (New-Object PSCredential "user",$OVHConsumerKey).GetNetworkCredential().Password } # determine the region specific API endpoint $apiBase = switch ($OVHRegion) { 'ovh-eu' { 'https://eu.api.ovh.com/1.0'; break } 'ovh-us' { 'https://api.us.ovhcloud.com/1.0'; break } 'ovh-ca' { 'https://ca.api.ovh.com/1.0'; break } 'soyoustart-eu' { 'https://eu.api.soyoustart.com/1.0'; break } 'soyoustart-ca' { 'https://ca.api.soyoustart.com/1.0'; break } 'kimsufi-eu' { 'https://eu.api.kimsufi.com/1.0'; break } 'kimsufi-ca' { 'https://ca.api.kimsufi.com/1.0'; break } 'runabove-ca' { 'https://api.runabove.com/1.0'; break } default { throw "Unknown OVHRegion: $OVHRegion" } } $script:OVHCreds = @{ AppKey = $OVHAppKey AppSecret = $OVHAppSecretInsecure ConsumerKey = $OVHConsumerKeyInsecure ApiBase = $apiBase } $script:OVHZonesToSave = @() } function Invoke-OVHRest { [CmdletBinding()] param( [Parameter(Mandatory)] [string]$Method, [Parameter(Mandatory)] [string]$Url, [string]$Body ) if (-not $script:OVHCreds) { throw "OVH Credentials not found in memory" } $c = $script:OVHCreds # build the string to hash for the signature # AppSecret '+' ConsumerKey '+' Method '+' Query '+' Body '+' Timestamp $unixNow = (Get-DateTimeOffsetNow).ToUnixTimeSeconds() $strToSign = "$($c.AppSecret)+$($c.ConsumerKey)+$($Method)+$($Url)+$($Body)+$($unixNow)" # hash it and make the signature # '$1$' + SHA1_HEX($strToHash) $sha1 = [Security.Cryptography.SHA1CryptoServiceProvider]::new() $strBytes = [Text.Encoding]::UTF8.GetBytes($strToSign) $hashHex = [BitConverter]::ToString($sha1.ComputeHash($strBytes)).Replace('-','').ToLower() $signature = "`$1`$$hashHex" $restArgs = @{ Method = $Method Uri = $Url Headers = @{ 'X-Ovh-Application' = $c.AppKey 'X-Ovh-Timestamp' = $unixNow 'X-Ovh-Signature' = $signature 'X-Ovh-Consumer' = $c.ConsumerKey } ContentType = 'application/json' } # add the body if there is one if ($Body) { $restArgs.Body = $Body } Invoke-RestMethod @restArgs @script:UseBasic -EA Stop } function Find-OVHDomain { [CmdletBinding()] param( [Parameter(Mandatory)] [string]$RecordName ) # setup a module variable to cache the record to zone ID mapping # so it's quicker to find later if (!$script:OVHRecordZones) { $script:OVHRecordZones = @{} } # check for the record in the cache if ($script:OVHRecordZones.ContainsKey($RecordName)) { return $script:OVHRecordZones.$RecordName } # Search for the zone from longest to shortest set of FQDN pieces. $pieces = $RecordName.Split('.') for ($i=1; $i -lt ($pieces.Count-1); $i++) { $zoneTest = "$( $pieces[$i..($pieces.Count-1)] -join '.' )" Write-Debug "Checking $zoneTest" try { # a non-error response indicates the zone exists Invoke-OvhRest GET "$($script:OVHCreds.ApiBase)/domain/zone/$zoneTest" | Out-Null # save the zone name $script:OVHRecordZones.$RecordName = $zoneTest return $zoneTest } catch { # re-throw anything except a 404 because it just means the zone doesn't exist if (404 -ne $_.Exception.Response.StatusCode.value__) { throw } } } throw "No zone found for $RecordName" } function Get-OVHTxtRecord { [CmdletBinding()] param( [Parameter(Mandatory)] [string]$RecordShort, [Parameter(Mandatory)] [string]$Domain, [Parameter(Mandatory)] [string]$TxtValue ) # First we search for just the record and type which only returns a list of record IDs when found $query = "$($script:OVHCreds.ApiBase)/domain/zone/$Domain/record?fieldType=TXT&subDomain=$RecordShort" $recIDs = Invoke-OVHRest GET $query if (-not $recIDs) { return $null } # now we loop through the IDs to request the record details so we can check if the target matches foreach ($id in $recIDs) { $rec = Invoke-OVHRest GET "$($script:OVHCreds.ApiBase)/domain/zone/$Domain/record/$id" if ($rec.target -eq "`"$TxtValue`"") { return $rec } } return $null } function Invoke-OVHSetup { [CmdletBinding()] param( [Parameter(Mandatory,Position=0)] [string]$AppKey, [ValidateSet('ovh-eu','ovh-us','ovh-ca','soyoustart-eu','soyoustart-ca','kimsufi-eu','kimsufi-ca','runabove-ca')] [string]$OVHRegion = 'ovh-eu' ) # So when creating an OVH app key, they don't give you the "Consumer Key" by default. They have # this funky OAuth'ish process where you have to login with the pre-created key/secret. The response # contains what will be your Consumer Key and a generated URL that the user must go to and explicitly # login and grant the permissions you've requested for a particular duration. Thankfully, unlimited # is an option. # # This is a helper function that the user must manually run once in order to generate the Consumer Key # value prior to the first certificate request. # determine the region specific API endpoint $apiBase = switch ($OVHRegion) { 'ovh-eu' { 'https://eu.api.ovh.com/1.0'; break } 'ovh-us' { 'https://api.us.ovhcloud.com/1.0'; break } 'ovh-ca' { 'https://ca.api.ovh.com/1.0'; break } 'soyoustart-eu' { 'https://eu.api.soyoustart.com/1.0'; break } 'soyoustart-ca' { 'https://ca.api.soyoustart.com/1.0'; break } 'kimsufi-eu' { 'https://eu.api.kimsufi.com/1.0'; break } 'kimsufi-ca' { 'https://ca.api.kimsufi.com/1.0'; break } 'runabove-ca' { 'https://api.runabove.com/1.0'; break } default { throw "Unknown OVHRegion: $OVHRegion" } } $header = @{ 'X-Ovh-Application' = $AppKey } $bodyJson = @{ accessRules = @( @{ method = 'GET'; path = '/domain/zone/*' } @{ method = 'GET'; path = '/domain/zone/*/record' } @{ method = 'POST'; path = '/domain/zone/*/record' } @{ method = 'DELETE'; path = '/domain/zone/*/record/*' } @{ method = 'POST'; path = '/domain/zone/*/refresh' } ) redirection = 'https://github.com/rmbolger/Posh-ACME/wiki/OVH-Success-Redirect' } | ConvertTo-Json -Compress $UseBasic = @{} if ('UseBasicParsing' -in (Get-Command Invoke-RestMethod).Parameters.Keys) { $UseBasic.UseBasicParsing = $true } try { $response = Invoke-RestMethod "$($apiBase)/auth/credential" -Method Post -Body $bodyJson ` -Headers $header -ContentType 'application/json' @UseBasic -EA Stop } catch { throw } if (-not $response -or -not $response.state) { throw "Empty auth response state" } if ($response.state -ne 'pendingValidation') { throw "Unexpected auth response: $(($response | ConvertTo-Json -Compress))" } Write-Host "`nPlease visit the following link, select Validity = `"Unlimited`", and then Log In:`n" Write-Host ($response.validationUrl) Read-Host "`nWhen finished, press Enter to continue" | Out-Null Write-Host "`n`nIf log in was successful, you may now use the following Consumer Key value in your plugin args:`n" Write-Host " >>> $($response.consumerKey) <<< " } |